AWS SES DMARC Setup: Email Authentication in 5 Steps
To set up DMARC on AWS SES, verify your domain, enable Easy DKIM (three CNAMEs), add an SPF TXT record including amazonses.com, set a custom MAIL FROM subdomain for alignment, then publish a _dmarc TXT record with p=none and your reporting address. The whole process takes about 15 minutes in the AWS console. If the relationship between SPF, DKIM, and DMARC isn't clear yet, that primer is worth a read first. If you're standing up email for a brand-new project, our email setup guide for new SaaS covers the broader picture this guide fits into.
This guide covers the exact steps in the AWS console and your DNS provider. If you're using Route53, it's even simpler: SES can add the records for you.
Step 1: Verify your domain in SES
SES won't send from a domain you haven't verified. Log into the AWS console and navigate to SES → Verified identities → Create identity.
Select Domain and enter your domain name. SES will show you three options for verification:
- DNS CNAME record (fastest if you use Route53)
- Email verification (sends a confirmation to admin@yourdomain.com)
- DKIM-only (doesn't verify ownership, just adds DKIM records)
If you use Route53, click Create identity and SES will offer to add the verification record automatically. If you manage DNS elsewhere, SES gives you a CNAME to add manually. Either way, verification typically completes within minutes.
Once the status shows Verified, you can send from this domain.
Step 2: Set up Easy DKIM
With the domain still selected in SES, look for the DKIM section. Click Create DKIM (or Set DKIM).
SES will generate three CNAME records, not one. All three must exist in DNS for DKIM signing to work. They'll look like this:
[random_token_1]._domainkey.yourdomain.com CNAME [random_token_1].dkim.amazonses.com
[random_token_2]._domainkey.yourdomain.com CNAME [random_token_2].dkim.amazonses.com
[random_token_3]._domainkey.yourdomain.com CNAME [random_token_3].dkim.amazonses.com
If you use Route53, SES can add all three automatically. If you manage DNS elsewhere, copy each record and paste it into your DNS provider. The names are subdomains of _domainkey.yourdomain.com, and each points to a different dkim.amazonses.com subdomain.
Wait for DNS propagation (usually under 10 minutes) and the SES console will show DKIM signing enabled with three green checkmarks.
Step 3: Add SPF
Your SPF record tells mail servers that Amazon SES is authorized to send on behalf of your domain. Create a TXT record at your domain root:
v=spf1 include:amazonses.com ~all
If you already have an SPF record, add include:amazonses.com to it instead of replacing it. The order doesn't matter:
v=spf1 include:sendgrid.net include:amazonses.com ~all
Verify the record propagated using the SPF Record Checker. It should show no syntax errors and the amazonses.com include should be recognized.
Step 4: Add a custom MAIL FROM domain (optional but recommended)
By default, SES bounces and complaints come from an amazonses.com subdomain. This means your SPF alignment is relaxed-only; receivers can see the mail came from Amazon, but the envelope sender domain differs from your From: header domain.
To fix this, create a custom MAIL FROM domain. In SES, go to Verified identities → your domain → MAIL FROM settings and enter mail.yourdomain.com (or any subdomain you control).
SES will ask you to add two records:
- An MX record:
mail.yourdomain.com MX 10 feedback-smtp.yourdomain.amazonses.com
- A TXT record for bounce messages:
mail.yourdomain.com TXT "v=spf1 include:amazonses.com ~all"
Once these are live, SES will align the envelope sender to your domain and SPF alignment becomes strict, a significant improvement for deliverability.
Step 5: Publish your DMARC record
Now that SPF and DKIM are working, publish a DMARC record to monitor mail sent from your domain. Add a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:d-{domain_id}@in.dmarcdrift.com
Replace {domain_id} with the UUID you see in your DMARCdrift dashboard after adding the domain. (If you haven't signed up yet, you can point it at your own email for now and update it later.)
p=none means messages failing DMARC still get delivered; you're just collecting visibility into misalignment and spoofing attempts. This is the right starting point for any new domain.
Verify your DMARC record using the DMARC Record Checker. It should show your policy and your rua address.
Test it
Send a test email from SES using the AWS console (SES → Verified identities → your domain → Send test email) or via the API. Check the headers of the received message:
dkim=pass (signature verified)
spf=pass (amazonses.com authorized)
dmarc=pass (SPF and DKIM aligned)
If you see dmarc=pass, everything is working. If not, common issues:
- DKIM records incomplete: Check that all three CNAME records are in DNS.
- SPF syntax error: Use the SPF Checker to catch missing or duplicate includes.
- Alignment broken: If your
From:header shows a different domain than your MAIL FROM, DMARC will fail. Use a custom MAIL FROM domain to fix this. - DMARC record missing: Double-check the record exists at
_dmarc.yourdomain.com.
Production access
If you're still in SES Sandbox, you can only send to verified addresses. Request production access via the AWS Support Center (no charge). The authentication setup is identical; you just gain the ability to send to any address.
Once your DMARC record is live, aggregate reports will start arriving within 24--48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.
